openstack/keystone
Code Issues Proposed changes

Update role policies for system admin

Browse Source 
This change makes the policy definitions for admin role operations
consistent with other role policies. Subsequent patches will
incorporate:

 - domain user test coverage
 - project user test coverage

Change-Id: I35a2af10d47e000ee6257ce16c52c7e49a62b033
Related-Bug: 1806713
Closes-Bug: 1805402
This commit is contained in:
Lance Bragstad 2018-12-04 18:07:07 +00:00
parent d437365444
commit 2ca4836a95
3 changed files with 112 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
keystone/common/policies/role.py
View File

@ -23,6 +23,18 @@ deprecated_list_role = policy.DeprecatedRule(
name=base.IDENTITY % 'list_roles',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_update_role = policy.DeprecatedRule(
name=base.IDENTITY % 'update_role',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_role = policy.DeprecatedRule(
name=base.IDENTITY % 'create_role',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_delete_role = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_role',
check_str=base.RULE_ADMIN_REQUIRED
)
DEPRECATED_REASON = """
As of the Stein release, the role API now understands default roles and
@ -64,25 +76,34 @@ role_policies = [
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_role',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Create role.',
operations=[{'path': '/v3/roles',
'method': 'POST'}]),
'method': 'POST'}],
deprecated_rule=deprecated_create_role,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_role',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Update role.',
operations=[{'path': '/v3/roles/{role_id}',
'method': 'PATCH'}]),
'method': 'PATCH'}],
deprecated_rule=deprecated_update_role,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_role',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete role.',
operations=[{'path': '/v3/roles/{role_id}',
'method': 'DELETE'}]),
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_role,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_domain_role',
check_str=base.RULE_ADMIN_REQUIRED,

53
keystone/tests/unit/protection/v3/test_roles.py
View File

@ -151,3 +151,56 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserRoleTests):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
# Reuse the system administrator account created during
# ``keystone-manage bootstrap``
self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.user_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_create_roles(self):
create = {'role': unit.new_role_ref()}
with self.test_client() as c:
c.post('/v3/roles', json=create, headers=self.headers)
def test_user_can_update_roles(self):
role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref()
)
update = {'role': {'description': uuid.uuid4().hex}}
with self.test_client() as c:
c.patch(
'/v3/roles/%s' % role['id'], json=update, headers=self.headers,
)
def test_user_can_delete_roles(self):
role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref()
)
with self.test_client() as c:
c.delete('/v3/roles/%s' % role['id'], headers=self.headers)

32
releasenotes/notes/bug-1805402-75d0d93f31af620f.yaml Normal file
View File

@ -0,0 +1,32 @@
---
features:
- |
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
The role API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
The role API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides role
policies.
deprecations:
- |
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
The role policies have been deprecated. The ``identity:get_role`` and
``identity:list_roles`` policies now use ``role:reader and
system_scope:all`` instead of ``rule:admin_required``. The
``identity:create_role``, ``identity:update_role``, and
``identity:delete_role`` policies now use ``role:admin and
system_scope:all`` instead of ``rule:admin_required``. These new
defaults automatically account for system-scope and support a read-only
role, making it easier for system administrators to delegate subsets of
responsibility without compromising security. Please consider these new
defaults if your deployment overrides the role policies.
security:
- |
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
The role API now uses system-scope and default roles to provide
better accessibility to users in a secure way.